Worst case QC-MDPC decoder for McEliece cryptosystem
Julia Chaulet, Nicolas Sendrier

TL;DR
This paper analyzes the worst-case number of iterations of the bit-flipping decoder for the QC-MDPC codes used in the McEliece cryptosystem. Because a constant-time (and therefore timing-side-channel-resistant) decoder must always run for the worst case, the paper shows that the decoder should be tuned for worst-case rather than average-case performance.
Contribution
It demonstrates that tuning the bit-flipping decoder to minimize the maximal number of iterations is not the same as tuning it to minimize the average cost, which informs how a constant-time QC-MDPC-McEliece decoder should be engineered.
Findings
A constant-time decoder must run for the worst-case number of iterations every time, and that worst case can be significantly higher than the average.
A variable-time decoder may leak information about the sparse parity-check equations through its running time; tuning the decoder for the worst case keeps a constant-time implementation affordable and so improves resistance to timing side-channel attacks.
Guidelines for engineering secure QC-MDPC-McEliece implementations are provided.
Abstract
The QC-MDPC variant of the McEliece encryption scheme enjoys relatively small key sizes as well as a security reduction to hard problems of coding theory. Furthermore, it remains secure against a quantum adversary and is very well suited to low cost implementations on embedded devices. Decoding MDPC codes is achieved with the (iterative) bit flipping algorithm, as for LDPC codes. Variable time decoders might leak some information on the code structure (that is on the sparse parity check equations) and must be avoided. A constant time decoder is easy to emulate, but its running time depends on the worst case rather than on the average case. So far implementations were focused on minimizing the average cost. We show that the tuning of the algorithm is not the same to reduce the maximal number of iterations as for reducing the average cost. This provides some indications on how to engineer the…
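The following is an added illustration of the point made in the Findings and the abstract; it is not code from the paper. It builds a toy QC-MDPC parity-check matrix H = [H0 | H1] from two circulant blocks, runs a simple fixed-threshold bit-flipping decoder in two modes (variable-time with early exit, and a constant-time emulation that always performs a fixed number of rounds), and then measures the average versus the maximum number of rounds over random error patterns. The block size p = 101, block weight 5, error weight 4, the two first-row supports and the fixed-threshold flipping rule are all assumptions chosen for a quick demonstration; real QC-MDPC parameters are far larger and the paper's tuned threshold rules are not reproduced here.

```python
import random
from typing import Dict, List, Tuple

# Toy parameters, assumed for illustration only: real QC-MDPC parameters are
# much larger (block size p in the thousands, block row weight around 45).
P = 101                          # size of each circulant block
D = 5                            # row weight of each block (row weight w = 2*D)
N = 2 * P                        # code length
H0_SUPPORT = [0, 1, 3, 7, 12]    # constructed first-row support of block H0
H1_SUPPORT = [0, 2, 5, 11, 20]   # constructed first-row support of block H1


def column_supports() -> List[List[int]]:
    """For each column j of H = [H0 | H1], list the rows in which it is set.
    Row i of a circulant block is its first row rotated by i, so column j of a
    block with first-row support S is set in rows (j - s) mod p for s in S."""
    cols = []
    for support in (H0_SUPPORT, H1_SUPPORT):
        for j in range(P):
            cols.append([(j - s) % P for s in support])
    return cols


COLS = column_supports()


def syndrome(error: List[int]) -> List[int]:
    """Compute s = H e^T over GF(2) for an error vector of length N."""
    s = [0] * P
    for j, bit in enumerate(error):
        if bit:
            for row in COLS[j]:
                s[row] ^= 1
    return s


def bit_flip(syn: List[int], threshold: int, max_iter: int,
             constant_time: bool) -> Tuple[bool, List[int], int]:
    """Iterative bit-flipping decoder with a fixed flipping threshold.

    Each round counts, for every position, how many unsatisfied parity checks
    it is involved in and flips every position whose count reaches `threshold`.
    With constant_time=False the decoder stops as soon as the syndrome is zero
    or no position can be flipped, so its running time leaks how hard the
    instance was.  With constant_time=True it always performs exactly max_iter
    rounds: once the syndrome is zero all counters are zero, the extra rounds
    flip nothing, and the result is unchanged.
    Returns (success, recovered_error, rounds_performed)."""
    assert threshold >= 1          # threshold 0 would flip everything on a zero syndrome
    e = [0] * N
    s = list(syn)
    rounds = 0
    for _ in range(max_iter):
        if not constant_time and not any(s):
            break                  # variable-time decoder: early exit on success
        rounds += 1
        counters = [sum(s[row] for row in COLS[j]) for j in range(N)]
        flips = [j for j in range(N) if counters[j] >= threshold]
        if not constant_time and not flips:
            break                  # stuck: a variable-time decoder gives up here
        for j in flips:
            e[j] ^= 1
            for row in COLS[j]:
                s[row] ^= 1
    return (not any(s)), e, rounds


def random_error(weight: int, rng: random.Random) -> List[int]:
    """Constructed error pattern of the given Hamming weight."""
    e = [0] * N
    for j in rng.sample(range(N), weight):
        e[j] = 1
    return e


def iteration_profile(threshold: int, weight: int, trials: int,
                      seed: int = 1, max_iter: int = 20) -> Dict[str, float]:
    """Decode `trials` random weight-`weight` errors with the variable-time
    decoder and report the average and the maximum number of rounds over the
    successful decodings, plus the number of failures.  A constant-time
    implementation has to run the *maximum* number of rounds every time, so it
    is the max, not the average, that sets its cost."""
    rng = random.Random(seed)
    rounds_ok = []
    failures = 0
    for _ in range(trials):
        e = random_error(weight, rng)
        ok, recovered, rounds = bit_flip(syndrome(e), threshold, max_iter, False)
        if ok and recovered == e:
            rounds_ok.append(rounds)
        else:
            failures += 1
    return {
        "threshold": threshold,
        "successes": len(rounds_ok),
        "failures": failures,
        "avg_rounds": sum(rounds_ok) / len(rounds_ok) if rounds_ok else 0.0,
        "max_rounds": max(rounds_ok) if rounds_ok else 0,
    }


if __name__ == "__main__":
    # Compare two threshold choices: the one with the lower average is not
    # necessarily the one with the lower maximum, and a constant-time decoder
    # pays for the maximum.
    for thr in (D, D - 1):
        print(iteration_profile(thr, weight=4, trials=300))
```

Running the script prints, for each threshold, the number of successful decodings, the average number of rounds and the maximum number of rounds; the maximum is the figure a constant-time implementation must budget for (plus whatever margin the target decoding failure rate requires), which is why the paper tunes for it directly rather than for the average.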
